GOOGLE CLOUD IP RANGES JSON: THE AUTHORITATIVE 2026 GUIDE
Updated for 2026: This reference has been updated with the latest authoritative JSON feed URLs and a Python automation script for syncToken tracking.
I’ve lost count of how many times I’ve seen a production outage caused by a hardcoded IP allowlist. Someone “manually” added a few GCP ranges to a corporate firewall two years ago, Google added a new CIDR block for a region, and suddenly, your webhooks are timing out and the logs are silent.
In the modern cloud era, IP-based security is often a “last resort,” but for many hybrid-cloud setups and legacy firewalls, it’s a reality we have to deal with. If you have to do it, you have to do it right—and that means automation.
Who Is This Guide For?
This guide is for Network Engineers, Security Architects, and GCP Administrators who need to manage access controls between Google Cloud and external environments (on-prem, other clouds, or third-party SaaS). If you’re tired of manual updates and want a “set and forget” way to track Google’s massive IP footprint, this is for you.
By the end of this, you’ll know:
- The exact URLs for the authoritative Google Cloud IP feeds.
- The difference between the various feeds (Cloud vs. Goog vs. Geofeed).
- How to write a simple Python script to parse these ranges for your firewall.
- Why you should probably be using IAP Security instead of IP allowlists where possible.
The Authoritative Sources
Google provides three primary feeds. Using the wrong one is a common mistake that leads to either “too much access” (security risk) or “not enough access” (connectivity issues).
- cloud.json: This is the one you probably want. It contains the public IP prefixes that Google makes available for customer resources on GCP (Compute Engine, Cloud Run, GKE, etc.).
- goog.json: This is the “global” list. It includes everything Google owns, including IPs for Google Search, Gmail, and YouTube. Use this only if you need to allow access to all Google services.
- cloud_geofeed: This is a specialized feed that includes geolocation metadata (ISO country/region). I use this primarily for compliance filtering where I need to ensure traffic only comes from specific jurisdictions.
Implementation: Automating the Fetch
Stop copying and pasting. Use a script to fetch and parse the feed. Here is a production-ready Python snippet I use to extract CIDR blocks for a specific region and service.
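```python
import requests

FEED_URL = "https://www.gstatic.com/ipranges/cloud.json"

def get_gcp_ips(region="europe-west1", service="Google Cloud"):
    """Return the IPv4 and IPv6 CIDR blocks published for one region and service."""
    # Fail fast on network or HTTP errors instead of parsing an error page
    response = requests.get(FEED_URL, timeout=10)
    response.raise_for_status()
    data = response.json()
    prefixes = []
    for entry in data['prefixes']:
        # Filter by region and service scope
        if entry.get('scope') == region and service in entry.get('service', ''):
            if 'ipv4Prefix' in entry:
                prefixes.append(entry['ipv4Prefix'])
            elif 'ipv6Prefix' in entry:
                prefixes.append(entry['ipv6Prefix'])
    return prefixes

# Example: Get all Google Cloud IPs in London
# (entries in cloud.json carry the service label "Google Cloud", so a
# filter such as "Compute" matches nothing)
london_ips = get_gcp_ips("europe-west2", "Google Cloud")
print(f"Found {len(london_ips)} ranges: {london_ips}")
```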
Pro-Tip: Track the Checksum
The JSON feed includes a creationTime and a syncToken. I recommend storing the syncToken in your database or a local file. Only trigger your firewall update pipeline if the syncToken has changed. This prevents unnecessary churn in your network configurations.
Better Alternatives to IP Allowlists
While tracking IP ranges is useful, I always tell my clients: “IPs are identity-lite.” They are easily spoofed or shared.
If you are trying to secure access to a GCP resource, consider these modern approaches first:
- Identity-Aware Proxy (IAP): Instead of whitelisting IPs, use IAP to enforce identity-based access. It’s much more secure and requires zero firewall maintenance. I’ve written a full IAP Cloud Run Security Setup Guide that covers this in detail.
- VPC Service Controls: Use these to create a security perimeter around your resources, regardless of where the request is coming from.
- Private Service Connect: If you’re connecting from on-prem, use Private Service Connect to reach Google APIs over a private IP, avoiding the public internet entirely.
Validation: Is Your Feed Fresh?
To ensure your automation is working, set up a simple monitoring check:
- Check Frequency: Fetch the JSON every 24 hours. Google updates it frequently, but rarely multiple times a day.
- Size Sanity Check: Ensure the number of prefixes hasn’t dropped by more than 50% unexpectedly (a sign of a corrupted fetch).
- Staging First: Always push new ranges to a staging firewall/WAF before production to catch any unexpected collisions.
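The syncToken gate from the Pro-Tip and the size sanity check from this list can share one decision function. The following is an added example, not the author's script: the function names and the JSON state-file layout are assumptions, and the sample feeds are constructed from documentation address ranges rather than real Google prefixes.

```python
import ipaddress
import json
import os

def parse_prefixes(feed):
    """Return the validated set of CIDR strings in a cloud.json-style document."""
    cidrs = set()
    for entry in feed["prefixes"]:
        raw = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        cidrs.add(str(ipaddress.ip_network(raw)))  # ValueError on malformed data
    return cidrs

def load_state(path):
    """Read the last applied syncToken and prefixes; empty state on first run."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {"syncToken": None, "prefixes": []}

def save_state(path, feed):
    """Record the feed as applied. Call only after the firewall push succeeded."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"syncToken": feed["syncToken"],
                   "prefixes": sorted(parse_prefixes(feed))}, fh)
    os.replace(tmp, path)  # atomic rename: no half-written state file

def plan_update(feed, state, max_drop=0.5):
    """Return (action, added, removed); action is 'unchanged', 'update' or 'reject'."""
    if feed["syncToken"] == state["syncToken"]:
        return "unchanged", set(), set()
    old, new = set(state["prefixes"]), parse_prefixes(feed)
    # Size sanity check: losing more than max_drop of the prefixes is suspicious
    if old and len(new) < len(old) * (1 - max_drop):
        return "reject", set(), set()
    return "update", new - old, old - new

# Constructed sample feeds (documentation ranges, not real Google prefixes)
FEED_V1 = {"syncToken": "1000", "creationTime": "2026-01-01T00:00:00", "prefixes": [
    {"ipv4Prefix": "192.0.2.0/24", "service": "Google Cloud", "scope": "europe-west2"},
    {"ipv4Prefix": "198.51.100.0/24", "service": "Google Cloud", "scope": "europe-west2"},
    {"ipv6Prefix": "2001:db8::/32", "service": "Google Cloud", "scope": "europe-west2"}]}
FEED_V2 = {"syncToken": "1001", "creationTime": "2026-01-02T00:00:00", "prefixes": [
    {"ipv4Prefix": "192.0.2.0/24", "service": "Google Cloud", "scope": "europe-west2"},
    {"ipv4Prefix": "203.0.113.0/24", "service": "Google Cloud", "scope": "europe-west2"},
    {"ipv6Prefix": "2001:db8::/32", "service": "Google Cloud", "scope": "europe-west2"}]}
FEED_TRUNCATED = {"syncToken": "1002", "creationTime": "2026-01-03T00:00:00",
                  "prefixes": FEED_V2["prefixes"][:1]}
```

Because `save_state` runs only after a successful push, a failed deployment leaves the old token in place and the next scheduled fetch retries the same diff. The `removed` set matters as much as `added`: stale ranges left in an allowlist may later be reassigned to someone else's resources.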
If you’re comparing networking strategies across clouds, my GCP vs. Azure Networking Comparison provides a deeper look at how these two giants handle perimeter security differently.
Summary Checklist
- Automated fetch from cloud.json
- Filtered by scope (region) and service
- Implemented syncToken tracking
- Documented “Why IP allowlisting?” for future review
- Evaluated IAP or Private Service Connect as alternatives